Having just finished two AI/Machine Learning reports (one published and one in edit), it occurred to me that the problems reported by ProPublica in this article represent a great use case of machine learning tools that could reduce the impact of similar attacks. I hope some of the brilliant AI developers out there will take it upon themselves to address this attack:
“In August, my email was attacked. Hate groups overwhelmed my inbox and the inboxes of two of my colleagues, and shut down ProPublica’s email much of the day. (I wrote about this incident in a previous newsletter.)
This week I wrote about the low cost and high effectiveness of such attacks. The assault on ProPublica — a type known as “email bombing” or “subscription bombing” — exploited the proliferation of websites that offer email sign-ups. The attacker uses an automated program — which costs just $5 on online hacking forums — that enters the victim’s email into every single sign-up form it can find. Then the victim’s inbox is deluged with emails seeking to confirm the sign-up.
In other words, my story shows how harassers have found ways to exploit yet another opening in web infrastructure. And despite its limited sophistication, email bombing is extremely difficult to defend against.”
If every email list added a captcha then this method of attack could be prevented altogether, but it is unlikely email subscription lists will all adopt captchas:
“A widely respected anti-spam service recommended that the “single best thing that can be done” would be for email lists to include a test known as a CAPTCHA to distinguish between human and automated sign-ups. Most internet users know CAPTCHAs as the squiggly words or sequence of photos they are asked to identify.
Unfortunately, not every web form uses CAPTCHAs. After all, email list managers are not in the business of making it harder for people to receive their missives, especially when the people harmed by the sham sign-ups are not their clients.
The email industry is working on a solution that it hopes will limit these attacks. The Messaging Malware Mobile Anti-Abuse Working Group (M3AAWG) has asked bulk email senders to identify subscription confirmation emails with a special technical header. That would allow email services to filter and block confirmation emails during a subscription attack.
But not all email senders are likely to adopt the standard, and not all open web forms are managed by bulk email senders. So here are a few things I learned in my reporting that could help guard against ‘email bombs.’ ”
However, the emails that are sent to confirm a subscription are all very similar in form and content, making them easy to detect by human eye or by a machine learning tool. So someone should train a machine learning tool to detect subscription verification messages, not as emails, but within the SMTP protocol used to move the message between email nodes. This tool could then be assigned a threshold, such as 4 a minute, after which every email message identified as a subscription verification message is diverted to a holding tank.
If a company has limited network bandwidth and the email server is behind the companies firewall, this solution will not prevent the network from becoming overloaded since all of the verification messages will be routed to your server. However, if you utilize an email service from a provider such as Rackspace or Microsoft and they implement this approach, the solution would eliminate the problem specific to an individual email domain such as ProPublica.
OK Open Source guru’s, we need your help!
Overview by Tim Sloane, VP, Payments Innovation at Mercator Advisory Group
Read the full story here